diff --git a/l2detect/DebugDlg.cpp b/l2detect/DebugDlg.cpp
index ddc2e30..3e8fd20 100644
--- a/l2detect/DebugDlg.cpp
+++ b/l2detect/DebugDlg.cpp
@@ -288,12 +288,21 @@ void DebugDlg_OnBnClickedValidateInterception( HWND hDlg )
 {
 hDlg = NULL;
 Hook_ValidateInterception_my();
+ Hook_CheckVirtualProtect();
+ Hook_check_func_prolog( L"ws2_32.dll", "WSAConnect", original_ws2_32_WSAConnect_6_bytes );
+ Hook_check_func_prolog( L"ws2_32.dll", "WSASend", original_ws2_32_WSASend_6_bytes );
+ Hook_check_func_prolog( L"ws2_32.dll", "WSARecv", original_ws2_32_WSARecv_6_bytes );
 }
 void DebugDlg_OnBnClickedInterceptConnect( HWND hDlg )
 {
 hDlg = NULL;
 Hook_InterceptConnect_my();
+ if( !Hook_ValidateInterception_my() )
+ {
+ log_error( LOG_ERROR, "Seems like my try to intercept ws2_32.dll!connect() failed.\n" );
+ log_error( LOG_ERROR, "All network connections will not be intercepted!\n" );
+ }
 }
 void DebugDlg_OnBnClickedCheckVP( HWND hDlg )
diff --git a/l2detect/L2Detect.rc b/l2detect/L2Detect.rc
index c01987c..b9be56c 100644
--- a/l2detect/L2Detect.rc
+++ b/l2detect/L2Detect.rc
@@ -91,7 +91,7 @@ BEGIN
 CONTROL "char_name",IDC_CHARNAME,"Static",WS_CHILD|WS_VISIBLE|WS_GROUP|SS_SUNKEN,7,76,251,11
 CONTROL "Enable Console",IDC_B_CONENABLE,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,65,42,64,14
 CONTROL "Disable Console",IDC_B_CONDISABLE,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,141,42,63,14
- CONTROL "Validate Interception",IDC_B_VALIDATEINTERCEPT,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,6,94,92,15
+ CONTROL "Check Interceptions",IDC_B_VALIDATEINTERCEPT,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,6,94,92,15
 CONTROL "Intercept connect",IDC_B_INTERCEPTCONNECT,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,106,94,80,15
 CONTROL "Check VP",IDC_B_CHECK_VIRTUALPROTECTEX,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,190,94,60,15
 CONTROL "Load L2Walker.dll",IDC_B_LOADWALKER,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,7,116,75,14
diff --git a/l2detect/main.cpp b/l2detect/main.cpp
index e8f6d4c..86c7240 100644
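Review bot: In DebugDlg_OnBnClickedValidateInterception (DebugDlg.cpp) every `bool` result is discarded, from Hook_ValidateInterception_my(), Hook_CheckVirtualProtect() and the three Hook_check_func_prolog() calls, so the button yields no overall verdict and the outcome exists only in the log. Collecting them is a small change: `bool ok = Hook_ValidateInterception_my();`, then `ok &= Hook_CheckVirtualProtect();` and `ok &= Hook_check_func_prolog( L"ws2_32.dll", "WSAConnect", original_ws2_32_WSAConnect_6_bytes );`, with one summary line logged at the end. The prolog check compares against fixed `original_ws2_32_*_6_bytes` arrays whose values are not in this diff; function prologs can differ between ws2_32.dll builds, so a mismatch may mean a different DLL version rather than a hook. That limit deserves a comment at the call site, for example `// baseline bytes are build-specific: a mismatch is not proof of a hook`.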
--- a/l2detect/main.cpp
+++ b/l2detect/main.cpp
@@ -124,12 +124,12 @@ DWORD WINAPI DllThread(LPVOID lpParam)
 log_error( LOG_WARNING, "Maybe we're running in GameGuard protected program?\n" );
 log_error( LOG_WARNING, "Be careful!\n" );
 }
- Hook_InterceptConnect_my();
- if( !Hook_ValidateInterception_my() )
- {
- log_error( LOG_ERROR, "Seems like my try to intercept ws2_32.dll!connect() failed.\n" );
- log_error( LOG_ERROR, "All network connections will not be intercepted!\n" );
- }
+ //Hook_InterceptConnect_my();
+ //if( !Hook_ValidateInterception_my() )
+ //{
+ // log_error( LOG_ERROR, "Seems like my try to intercept ws2_32.dll!connect() failed.\n" );
+ // log_error( LOG_ERROR, "All network connections will not be intercepted!\n" );
+ //}
 //Hook_InterceptConnect_Dis(); // this unused..
 #ifdef _MSC_VER
 }
diff --git a/l2detect/net_hook.h b/l2detect/net_hook.h
index abb8f13..7de9f8f 100644
--- a/l2detect/net_hook.h
+++ b/l2detect/net_hook.h
@@ -12,6 +12,18 @@ bool Hook_ValidateInterception_my();
 bool Hook_IsWinsockConnectOrig();
 bool Hook_CheckVirtualProtect();
+// checking hooks
+extern const unsigned char original_ws2_32_connect_6_bytes[6];
+extern const unsigned char original_ws2_32_recv_6_bytes[6];
+extern const unsigned char original_ws2_32_send_6_bytes[6];
+extern const unsigned char original_ws2_32_WSAConnect_6_bytes[6];
+extern const unsigned char original_ws2_32_WSARecv_6_bytes[6];
+extern const unsigned char original_ws2_32_WSASend_6_bytes[6];
+extern const unsigned char original_vpex_6_bytes[6];
+extern const unsigned char l2walker_connect_6_bytes[6];
+// ^^ orig_bytes
+bool Hook_check_func_prolog( LPCWSTR dllName, LPCSTR funcName, const unsigned char *orig_bytes );
+
 int __stdcall connect_hook_my( unsigned int sock, void *sockaddr, int addrlen );
 int __stdcall connect_nohook_my( unsigned int sock, void *sockaddr, int addrlen );
diff --git a/l2detect/net_hook_my.cpp b/l2detect/net_hook_my.cpp
index fb80519..cbc7883 100644
--- a/l2detect/net_hook_my.cpp
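Review bot: The six lines turned into `//` comments in DllThread (main.cpp) should be deleted rather than commented out, since the same call and error report now live in DebugDlg_OnBnClickedInterceptConnect and version control keeps the history. With this change nothing in the visible part of DllThread installs the connect hook at start-up, so interception appears to happen only after the debug-dialog button is pressed. If that is intended, one line would record it: `// connect hook is no longer installed at start-up; it is applied from the debug dialog's "Intercept connect" button`. DllThread's body starts and ends outside the hunk.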
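Review bot: The new prototype in net_hook.h takes `const unsigned char *orig_bytes` with no length, while the implementation in net_hook_my.cpp compares exactly six bytes with `memcmp( cur, orig_bytes, 6 )`, so a caller that passes a shorter buffer causes an out-of-bounds read the compiler cannot catch. Every baseline declared here is `[6]`, so the signature can carry the size: `bool Hook_check_func_prolog( LPCWSTR dllName, LPCSTR funcName, const unsigned char (&orig_bytes)[6] );`, ideally with the literal 6 replaced by one named constant shared with the array declarations. The comment `// ^^ orig_bytes` should say what the arrays hold and for which ws2_32.dll build they were recorded; `l2walker_connect_6_bytes` in particular does not look like an "original" prolog, so its meaning needs a word of its own.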
+++ b/l2detect/net_hook_my.cpp @@ -70,6 +70,7 @@ void Hook_InterceptConnect_my() if( Proxied_VirtualProtectEx ) log_error( LOG_WARNING, "Hook_InterceptConnect_my(): Using proxied VirtualProtectEx!\n" ); + ErrorLogger_FlushLogFile(); BOOL ret; DWORD old_protect = 0, old_protect_2 = 0; @@ -137,13 +138,13 @@ bool Hook_check_func_prolog( LPCWSTR dllName, LPCSTR funcName, const unsigned ch HINSTANCE hDll = GetModuleHandleW( dllName ); if( !hDll ) { - log_error( LOG_WARNING, "Hook_check_func_prolog(): module [%ls] not found!\n", dllName ); + log_error( LOG_WARNING, "Hook_check_func_prolog(): module [%S] not found!\n", dllName ); return false; } unsigned int func_addr = (unsigned int)GetProcAddress( hDll, funcName ); if( func_addr == 0 ) { - log_error( LOG_WARNING, "Hook_check_func_prolog(): module [%ls] does not have func [%s]\n", dllName, funcName ); + log_error( LOG_WARNING, "Hook_check_func_prolog(): module [%S] does not have func [%s]\n", dllName, funcName ); return false; } // read prolog @@ -154,15 +155,16 @@ bool Hook_check_func_prolog( LPCWSTR dllName, LPCSTR funcName, const unsigned ch // compare if( memcmp( cur, orig_bytes, 6 ) == 0 ) { - log_error( LOG_OK, "Hook_check_func_prolog(): %ls ! %s() prolog OK\n", dllName, funcName ); + log_error( LOG_OK, "Hook_check_func_prolog(): %S!%s() prolog OK\n", dllName, funcName ); ErrorLogger_FlushLogFile(); return true; } // not equal log_error( LOG_WARNING, - "Hook_check_func_prolog(): %ls.%s() prolog modified, dump of machine codes:\n" + "Hook_check_func_prolog(): %S!%s() prolog modified, dump of machine codes:\n" " current : %02X %02X %02X %02X %02X %02X\n" " orig : %02X %02X %02X %02X %02X %02X\n", + dllName, funcName, (int)cur[0], (int)cur[1], (int)cur[2], (int)cur[3], (int)cur[4], (int)cur[5], (int)orig_bytes[0], (int)orig_bytes[1], (int)orig_bytes[2], (int)orig_bytes[3], (int)orig_bytes[4], (int)orig_bytes[5]
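Review bot: In the first hunk of net_hook_my.cpp the added `ErrorLogger_FlushLogFile();` directly follows an unbraced `if( Proxied_VirtualProtectEx )`, so it runs unconditionally whatever its indentation (lost in this rendering) suggests. If that is the intent, bracing the `log_error` call makes it unambiguous; if the flush was meant only for the proxied case, it needs to go inside `{ ... }` with the warning. A short comment on why the log is flushed at this point, before the code that follows outside the hunk, would also help. Hook_InterceptConnect_my()'s body starts and ends outside the hunk.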
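Review bot: In the second hunk of net_hook_my.cpp the two `log_error` calls now print the `LPCWSTR dllName` with `%S`, a Microsoft extension whose meaning flips between narrow and wide format functions, whereas `%ls` is the standard conversion for a wide string and is also accepted by the Microsoft CRT. How `log_error` formats its arguments is not visible here, so if `%ls` was replaced because it printed wrongly, that reason belongs in a comment; otherwise I would keep `"Hook_check_func_prolog(): module [%ls] not found!\n"`. The same substitution is made in the following hunk of this file. Separately, the context line `unsigned int func_addr = (unsigned int)GetProcAddress( hDll, funcName );` truncates the address on a 64-bit build; holding it as `FARPROC` or `uintptr_t` avoids checking the wrong location.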